Bug 86854 - Segfault / invalid read in GooString::GooString / PSOutputDev::setupFont when using pdftops
Summary: Segfault / invalid read in GooString::GooString / PSOutputDev::setupFont when...
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-29 16:39 UTC by Hanno Böck
Modified: 2015-02-07 21:28 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
fuzzed pdf crashing pdftops (8.08 KB, text/plain)
2014-11-29 16:39 UTC, Hanno Böck
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck 2014-11-29 16:39:14 UTC
Created attachment 110231 [details]
fuzzed pdf crashing pdftops

The attached file will cause a segfault when running through pdftops (latest poppler version, 2.18.1).

valgrind output:
==12858== Invalid read of size 4
==12858==    at 0x4EF2557: GooString::GooString(GooString const*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBCEF5: PSOutputDev::setupFont(GfxFont*, Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBD2DE: PSOutputDev::setupFonts(Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBBA46: PSOutputDev::setupResources(Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBC05C: PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, int, int, bool) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBD8AA: PSOutputDev::init(void (*)(void*, char const*, int), void*, PSFileType, char*, PDFDoc*, int, int, PSOutMode, int, int, int, int, bool, int, int, bool, bool) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x401EC0: main (in /usr/bin/pdftops)
==12858==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==12858== 
==12858== 
==12858== Process terminating with default action of signal 11 (SIGSEGV)
==12858==  Access not within mapped region at address 0x18
==12858==    at 0x4EF2557: GooString::GooString(GooString const*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBCEF5: PSOutputDev::setupFont(GfxFont*, Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBD2DE: PSOutputDev::setupFonts(Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBBA46: PSOutputDev::setupResources(Dict*) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBC05C: PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, int, int, bool) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x4FBD8AA: PSOutputDev::init(void (*)(void*, char const*, int), void*, PSFileType, char*, PDFDoc*, int, int, PSOutMode, int, int, int, int, bool, int, int, bool, bool) (in /usr/lib64/libpoppler.so.47.0.0)
==12858==    by 0x401EC0: main (in /usr/bin/pdftops)
==12858==  If you believe this happened as a result of a stack
==12858==  overflow in your program's main thread (unlikely but
==12858==  possible), you can try to increase the size of the
==12858==  main thread stack using the --main-stacksize= flag.
==12858==  The main thread stack size used in this run was 8388608.


Address Sanitizer output:
=================================================================
==12859==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000054dcfc sp 0x7fff79476f00 bp 0x60400001c2d0 T0)
    #0 0x54dcfb in GooString::GooString(GooString const*) /tmp/poppler-0.28.1/goo/GooString.cc:240
    #1 0x52ebc0 in GooString::copy() const ../goo/GooString.h:75
    #2 0x52ebc0 in PSOutputDev::setupFont(GfxFont*, Dict*) /tmp/poppler-0.28.1/poppler/PSOutputDev.cc:1882
    #3 0x53043d in PSOutputDev::setupFonts(Dict*) /tmp/poppler-0.28.1/poppler/PSOutputDev.cc:1831
    #4 0x51fc4a in PSOutputDev::setupResources(Dict*) /tmp/poppler-0.28.1/poppler/PSOutputDev.cc:1734
    #5 0x5222b1 in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, int, int, bool) /tmp/poppler-0.28.1/poppler/PSOutputDev.cc:1629
    #6 0x525a89 in PSOutputDev::init(void (*)(void*, char const*, int), void*, PSFileType, char*, PDFDoc*, int, int, PSOutMode, int, int, int, int, bool, int, int, bool, bool) /tmp/poppler-0.28.1/poppler/PSOutputDev.cc:1390
    #7 0x40d9b0 in main /tmp/poppler-0.28.1/utils/pdftops.cc:409
    #8 0x7f6da8758f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #9 0x413fd3 (/tmp/poppler-0.28.1/utils/pdftops+0x413fd3)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/poppler-0.28.1/goo/GooString.cc:240 GooString::GooString(GooString const*)

This was found with the tool american fuzzy lop.
Comment 1 Albert Astals Cid 2015-02-07 21:28:52 UTC
Fix pushed


bug/show.html.tmpl processed on Mar 26, 2017 at 03:29:20.
(provided by the Example extension).